I don't know. What is it?

But seriously, your password is obviously stronger than using a shorter "actual word" password. I doubt it would literally take years to crack if someone really, really wanted to, but I wouldn't think it's something to be concerned about.
posted by Kimothy at 5:23 AM on June 22, 2010

"So, like virtually all security modalities, the weakness comes down to the passphrase. WPA-PSK is particularly susceptible to dictionary attacks against weak passphrases. "

If you're using a randomly generated password, it sounds like you're pretty good.
posted by sharkfu at 5:39 AM on June 22, 2010

When you say your key is hexadecimal, do you mean that you only use characters [0-9][a-f]? If so, don't do that. The key can use almost the entire Ascii set, including upper/lower, digits, spaces, and punctuation. If you limit yourself to only [0-9][a-f] then you leave yourself vulnerable to rainbow table cracking.
posted by Rhomboid at 6:01 AM on June 22, 2010

There are about 1.15 x 10^77 possible hexadecimal strings of length 64. We're going to assume that an attacker would need to check about half of these before finding your key. Assuming they're doing this on a supercomputer (10^15 checks per second), it'll only take about 1.8 x 10^54 years. But actually the real bottleneck is your router, which will melt first.

That's why they won't do it that way, instead they'll break into your house and get your network key off of your computer. Or install a keylogger. Or send you some malware which will get your network key from your computer. And so on.
posted by anaelith at 6:16 AM on June 22, 2010

This doesn't answer the original question, but should anyone ever need a random password of any length, be sure to visit Steve Gibson's password generator, where you'll get passwords that are about as random as you're going to get using a computer.
posted by Wild_Eep at 6:47 AM on June 22, 2010 [3 favorites]

I don't think you have anything to worry about. There are really two different kinds of situations you might need to protect against... the first is strangers leeching your bandwidth. Could be neighbors or war-drivers, anybody looking for free web access. Usually any kind of security is enough to stop these guys; they'll look for the low-hanging fruit and move on until they find something open and unsecured.

The second is if you have sensitive data stored on your network that you need to keep out of the hands of people who are intentionally targeting you. Corporate spies working for the competition, that sort of thing. The password you're using is more than enough to stop most of these people, unless we're talking about a high-profile Fortune 500 corporate network or something, where your enemies are willing to spare no expense to get the data they want. In those circumstances you need to be worrying about a lot more than wifi passwords; you need serious network architecture and IT staff monitoring it 24/7. I'm guessing that since you're asking MeFi instead of your networking manager, this isn't your situation. And therefore, you have nothing to worry about.
posted by The Winsome Parker Lewis at 7:16 AM on June 22, 2010

And remember that you can also do MAC address filtering. While not entirely undefeatable, it's another layer of security definitely worth considering.
posted by papafrita at 8:06 AM on June 22, 2010

http://www.aircrack-ng.org/doku.php?id=cracking_wpa
posted by low affect at 8:12 AM on June 22, 2010

Saving some sort of significant technical innovation or flaw in the crypto implementation, you're fine, for all practical purposes.

P.S. - SSID hiding and MAC filtering are trivial to circumvent. Not worth the hassle.
posted by kjs3 at 8:18 AM on June 22, 2010

From a broader perspective, if you have a serious interest in security, then you need to NOT use wireless. Wireless is convenient, yes, but it also allows anyone sitting nearby to sniff your bizness.

Your connection is secure today. But who knows what tomorrow will bring? Just because only the NSA could crack your key today doesn't mean that your neighbor's 12 year-old won't be able to crack it tomorrow with a homegrown beowulf cluster, the infinite free time of the young and enthusiastic, and a sweet new tool that some clever person invents.

Cat5 is ugly and somewhat awkward, but it's secure. (And as a bonus, it's faster.)
posted by ErikaB at 10:06 AM on June 22, 2010 [1 favorite]

^W5V%LdY8IiQo!XmKnpqJjJJN%tJpZ#9a8dwd!a2#IrZ4bEi02fuQjOTzwHmHI@X

Great. For the record that is not hexidecimal.

Wireless is convenient, yes, but it also allows anyone sitting nearby to sniff your bizness.

Only if you decide to let them. You can use https, or you can re-flash your router with a firmware that includes an OpenVPN client (e.g. DD-WRT) and set up an encrypted tunnel between the client and the router such that an eavesdropper can not tell what you're doing.

your neighbor's 12 year-old won't be able to crack it tomorrow with a homegrown beowulf cluster

There would have to be a significant change in technology to go from the current state of 'millions of CPU years' to that, and it would be major news if that happened.
posted by Rhomboid at 10:36 AM on June 22, 2010

And just to put some numbers to it, assuming a password of length 63 from the entire ascii printable set would be 95⁶³ or about 4 * 10¹²⁴ combinations. Taking the above quoted 600 keys per second, that comes to about 10¹¹⁴ years on average to crack. Even if you had a computer a million times faster than current technology and you had a million of them, that's still 10¹⁰² years. I haven't run the numbers but I'm pretty sure that from Landauer's principle you can show that there isn't even enough energy in the entire universe to perform such a calculation.
posted by Rhomboid at 10:55 AM on June 22, 2010 [1 favorite]

IANAC, but it seems like the WPA2 protocol hashes the user-input keyphrase down to a 256-bit key.

So it seems like a savvy attacker would try to guess the underlying 256-bit key (around 1.15 * 10⁷⁷ possible combinations) rather than the keyphrase (4 * 10¹²⁴ combinations).

So yeah, still definitely secure, still not crackable for several centuries even naively assuming that Moore's law continues at its current pace (quantum computing or, more likely, a now-unknown protocol flaw may make it crackable alarmingly sooner), but the underlying crypto implementation seems to indicate that there is no additional security to be had if you make your keyphrase longer than 39 perfectly random characters (assuming you're choosing from the 95 printable ASCII characters).
posted by Dimpy at 3:04 PM on June 22, 2010

There would have to be a significant change in technology to go from the current state of 'millions of CPU years' to that, and it would be major news if that happened.

Let's meet back in this thread when it happens. Moore's law, and all!

Recall that WPA2-PSK is only the latest in a long series of security protocols, all of which were eventually cracked. It's a war of escalation; your only hope is to either keep running faster than The Other Guy, or to opt out (e.g. by using a wired connection).
posted by ErikaB at 11:12 AM on June 23, 2010

SSL is also one of a "long series of security protocols" and yet I don't see anyone clamoring to exclaim that you shouldn't access your banking site using it because someone might one day find a weakness there. So is RSA/DSA, and yet nobody is screaming that we shouldn't sign or encrypt messages with GPG/PGP. If your contention is that the possibility of a security researcher finding a weakness in the future means that it is not safe today then you'd better just go live in a unibomber shed in the middle of nowhere because everything on the modern networked landscape is based on cryptographic algorithms. Saying that because WEP was shitty then WPA2 must also be shitty is like saying that because MD4 turned out to be crap means no one should use SHA-1.

And a wired connection does not opt you out of anything. If you have a cable internet connection then all the traffic for you and everyone else on your block is flowing through that cable, and the only thing stopping someone from eavesdropping on all of it is the firmware in the cable modem, and we all know no one would ever tamper with that. Or maybe I rent a server at the same datacenter as a site that you use frequently, and then I run a packet capture program in conjunction with an ARP spoofing algorithm to let me view traffic on the other ports of the switch that I'm connected to.
posted by Rhomboid at 12:22 PM on June 23, 2010

This thread is closed to new comments.